[Tickets #7646] Driver 'file' fails to open files with '..' anywhere in name

bugs at horde.org
Wed Nov 5 22:23:59 UTC 2008


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/7646
------------------------------------------------------------------------------
  Ticket             | 7646
  Created By         | andrew at aklabs.net
  Summary            | Driver 'file' fails to open files with '..' anywhere
                     | in name
  Queue              | Gollem
  Version            | 1.0.3
  Type               | Bug
  State              | Unconfirmed
  Priority           | 2. Medium
  Milestone          |
  Patch              | 1
  Owners             |
+New Attachment     | file.php.patch
------------------------------------------------------------------------------


andrew at aklabs.net (2008-11-05 17:23) wrote:

This may already be fixed upstream in latest head, and if so, please  
forgive. I am using 1.0.3 because it's what's in Ubuntu 8.04 LTS's  
repository as of the latest apt-get update.

When using the 'file' VFS driver on a Linux host using Horde 3.1.7,
IMP H3 4.1.4 and Gollem H3 1.0.3, users are unable to open (or attach
to IMP outgoing messages) any files that contain '..' anywhere in the
file name. Test case:

Create a file in a VFS share with the filename 'test.pdf'. Opens correctly.
Rename the file to 'test..pdf'. The file will silently fail to attach  
to IMP messages, and will fail to view with the following error:

-------------------------------------------------

Warning: file_get_contents(/vfsdir/horde//filepdf)  
[function.file-get-contents]: failed to open stream: No such file or  
directory in /usr/share/horde3/lib/VFS/file.php on line 82

Warning: Cannot modify header information - headers already sent by  
(output started at /usr/share/horde3/lib/VFS/file.php:82) in  
/usr/share/horde3/lib/Horde/Browser.php on line 978

Warning: Cannot modify header information - headers already sent by  
(output started at /usr/share/horde3/lib/VFS/file.php:82) in  
/usr/share/horde3/lib/Horde/Browser.php on line 984

Warning: Cannot modify header information - headers already sent by  
(output started at /usr/share/horde3/lib/VFS/file.php:82) in  
/usr/share/horde3/lib/Horde/Browser.php on line 1003

-----------------------------------------------

Solution: I opened up /usr/share/horde3/lib/VFS/file.php and found the
error inside of _getNativePath where '..' is replaced with ''. The
reason for this is obvious (security), but the method failed to take
into account situations like this where the user just accidentally put
two ..'s before an extension. I replaced the str_replace call with an
ereg_replace call to only do this at the beginning of the filename.
Works like a charm. I tried naming files things like
'../sneakyfile.pdf' and such, and Gollem wasn't freaked out by any
tests I could do.

Patch is attached to bug report in unified diff format.
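The ticket describes a sanitizer that deletes every '..' substring, which is why 'test..pdf' becomes 'testpdf' and the open fails. The following is an added example, not Horde's code and not the attached patch: it reconstructs that substring-stripping behaviour beside a component-wise check that treats '..' as unsafe only when it is a whole path segment, so 'test..pdf' is accepted while '../sneakyfile.pdf' and 'docs/../../x' are rejected rather than rewritten. Function names and sample names are constructed for the example.

```php
<?php
// Behaviour as described in the ticket: every '..' substring is removed,
// so a legitimate name such as 'test..pdf' collapses to 'testpdf'.
function strip_dotdot_substring(string $path): string
{
    return str_replace('..', '', $path);
}

// Defensive alternative: split the VFS-relative path into segments and
// refuse any segment that is exactly '..' instead of editing the string.
// Empty segments ('//') and '.' are dropped. Returns null when unsafe.
function safe_relative_path(string $path): ?string
{
    $segments = explode('/', str_replace('\\', '/', $path));
    $clean = [];
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;        // collapse '//' and './'
        }
        if ($segment === '..') {
            return null;     // traversal segment: reject, do not rewrite
        }
        $clean[] = $segment;
    }
    return implode('/', $clean);
}

// Constructed sample names: the reporter's test case, the probe name
// mentioned in the ticket, a nested traversal, and a doubled slash.
$samples = ['test.pdf', 'test..pdf', '../sneakyfile.pdf', 'docs/../../x', 'a//b'];
foreach ($samples as $name) {
    printf("%-20s substring-strip: %-18s segment-check: %s\n",
        $name,
        strip_dotdot_substring($name),
        safe_relative_path($name) ?? 'REJECTED');
}
```

Rejecting rather than rewriting also keeps the error visible to the user, instead of the silent failure the ticket reports when the name is altered behind the scenes.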
